4 Answers

To my understanding, the cron job for apt only cleans caches and/or updates meta-data related to packages, but it does not perform any upgrades of packages.

I, personally, discourage automatic updates, but at least Ubuntu offers to automatically apply security-related upgrades to packages during setup. I would assume a similar mechanism is in place for Debian.

I check package upgrades every time I log into a machine I manage (and apply them as required). Additionally, if I learn about a security vulnerability (or to be more specific, a patch for one), I log into all my servers and apply the upgrade.

I hadn't updated for almost a month because I thought only aptitude update was required. The machine is behind a router (firewall), so it should be OK, right? Or do I need to reinstall?
– firebird, Jan 26 '12 at 14:45

@firebird If you think your system might have been compromised, investigate it. Just because you missed installing updates would not warrant a fresh installation for me.
– Oliver Salzburg♦, Jan 26 '12 at 15:44

You should update a Debian system (or any other Linux/Unix system) as soon as new security related updates are released.

The commands on Debian are:

#> aptitude update
#> aptitude safe-upgrade

Those commands refresh the list of available packages and upgrade the packages that are currently installed on your system.

I strongly suggest you have a look at cron-apt, which is intended to be run via cron and update the system on a regular basis. It is highly configurable and lets you specify how often the system should check for updates, if the updates have to be downloaded and/or installed, and a few other things. It also notifies what has been done via email, which is extremely useful if you administer more than one system.
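
As an added example (not part of any answer on this page, and not code from Debian or cron-apt): a shell filter that lists which pending upgrades come from the security archive. It uses `apt-get -s upgrade` (simulate mode) rather than the aptitude commands shown above, and assumes the security origin label is `Debian-Security`; the function names and sample output are constructed.

```shell
#!/bin/sh
# Added example: report pending upgrades that come from the Debian
# security archive, based on apt-get's simulate-mode output.

# Reads `apt-get -s upgrade` output on stdin; prints "package old new" for
# every "Inst" line whose origin label contains Debian-Security (assumed label).
pending_security() {
    awk '$1 == "Inst" && /Debian-Security/ {
        old = "(new)"; new = $3
        if ($3 ~ /^\[/) { old = $3; gsub(/\[|\]/, "", old); new = $4 }
        sub(/^\(/, "", new)
        print $2, old, new
    }'
}

# Constructed sample of simulate-mode output (package names and versions
# are illustrative, not taken from a real host).
sample_output() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libexample1 openssl-example tzdata-example
Inst libexample1 [1.0.1-2] (1.0.1-2+deb6u1 Debian-Security:6.0/stable [amd64])
Inst openssl-example [0.9.8-4] (0.9.8-4+deb6u2 Debian-Security:6.0/stable [amd64])
Inst tzdata-example [2011n-0] (2012a-0 Debian:6.0.4/stable [all])
Conf libexample1 (1.0.1-2+deb6u1 Debian-Security:6.0/stable [amd64])
Conf openssl-example (0.9.8-4+deb6u2 Debian-Security:6.0/stable [amd64])
Conf tzdata-example (2012a-0 Debian:6.0.4/stable [all])
EOF
}

# Returns 1 when security upgrades are pending, 0 otherwise, so a cron job
# or login script can act on the exit status.
report() {
    list=$(pending_security)
    if [ -z "$list" ]; then
        echo "no pending security upgrades"
        return 0
    fi
    echo "$list"
    return 1
}

# Offline demonstration on the constructed sample. On a real host, refresh
# the package lists first, then run: apt-get -s upgrade | report
sample_output | report || echo "security upgrades pending"
```

Simulate mode changes nothing on the system and does not need root, so the check can run at every login or from cron without applying anything.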

As for how often you should update, it is "at your discretion." While derivatives like Ubuntu have recommended settings, it really depends on your preferences - would you rather be up to date, or would you rather an update not break something until you are ready to deal with it?

On a desktop you use daily, a daily check is probably best - you want the updates the day they come in because you're using the machine regularly. On a server, I'd go for once a week or your regularly scheduled maintenance window. (If you don't have a maintenance window, now's a fine time to set one.)

On my router, where I run Debian's stable release, I install any relevant security updates as soon as they're released. I subscribe to the debian-security-announce mailing list so I know about new security updates. I also subscribe to debian-announce to learn about non-security updates, such as the upcoming 6.0.4 point release scheduled for this Saturday.

On my desktop, where I run Debian's "unstable" branch, I install updates every day.